Sourcetypes for the Splunk Add-on for Windows
The latest version of documentation for this product can be found in the Splunk Supported Add-ons manual.
The Splunk Add-on for Windows provides Common Information Model mappings, the index-time and search-time knowledge for Windows events, metadata, user and group information, collaboration data, and tasks in the following formats.
The latest version of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its sourcetypes. See the Common Information Model and Field Mapping Changes for the Splunk Add-on for Microsoft Windows topic in the Reference chapter in this manual for information on changes to the mapping of this information.
Source type | Description | CIM data models |
---|---|---|
ActiveDirectory | Active Directory related information | n/a |
DhcpSrvLog | Microsoft DHCP Server log information | Network Sessions |
Perfmon:CPU, PerfmonMk:CPU | CPU usage statistics provided by the Performance Monitor input | Application State, Performance |
Perfmon:LogicalDisk, PerfmonMk:LogicalDisk | Information about logical disks on the system provided by the Performance Monitor input in single or multikv mode | Performance |
Perfmon:Memory, PerfmonMk:Memory | Memory statistics provided by the Performance Monitor input in single or multikv mode | Performance |
Perfmon:Network, PerfmonMk:Network | Network statistics provided by the Performance Monitor input in single or multikv mode | Performance |
Perfmon:PhysicalDisk, PerfmonMk:PhysicalDisk | Information about physical disks on the system provided by the Performance Monitor input in single or multikv mode | n/a |
Perfmon:Process, PerfmonMk:Process | Information about processes running on the system provided by the Performance Monitor input in single or multikv mode | Application State, Performance, Endpoint |
Perfmon:ProcessorInformation, PerfmonMk:ProcessorInformation | Statistics related to processor state and performance | Application State, Inventory, Endpoint, Performance, Vulnerabilities |
Perfmon:System, PerfmonMk:System | System information provided by the Performance Monitor input in single or multikv mode | Application State, Performance |
Script:InstalledApps | List of installed applications | n/a |
Script:ListeningPorts | List of network ports that listen for traffic | Application State, Endpoint |
Script:NetworkConfiguration | Local IP configuration information | n/a |
Script:TimesyncConfiguration | Information on time synchronization service configuration | n/a |
Script:TimesyncStatus | Information on time synchronization status | Performance |
WindowsUpdateLog | Windows Update log file | Updates |
WinHostMon | Windows host monitoring log | Inventory, Performance, Endpoint |
WinNetMon | Network related information | n/a |
WinPrintMon | Windows printer related changes | n/a |
WinRegistry | Windows Registry changes | Change Analysis, Endpoint, Change |
WMI:ComputerSystem | Computer system information provided by WMI | Performance |
WMI:CPUTime | CPU usage time provided by WMI | Application State, Performance |
WMI:FreeDiskSpace | Free disk space provided by WMI | Application State, Performance |
WMI:InstalledUpdates | List of installed updates/packages provided by WMI | Updates |
WMI:LocalNetwork | Network statistics provided by WMI | Performance |
WMI:LocalPhysicalDisk | Physical disk information provided by WMI | n/a |
WMI:LogicalDisk | Information about logical disks on the system, provided by WMI | Performance |
WMI:LocalProcesses | Information on processes running locally, provided by WMI | Application State, Endpoint |
WMI:Memory | Memory information provided by WMI | Application State, Performance |
WMI:ScheduledJobs | Information on scheduled jobs provided by WMI | n/a |
WMI:Service | Information on services running locally, provided by WMI | Application State, Endpoint |
WMI:Uptime | Information on system uptime, provided by WMI | Application State, Performance |
WMI:UserAccounts | Information on configured user accounts, provided by WMI | Application State, Inventory |
WMI:Version | Information on the system version, provided by WMI | Application State, Inventory |
WMI:WinEventLog:* | Windows Event Log data for Application, System and Security, provided by WMI | Application State, Authentication, Change Analysis, Performance, Updates, Vulnerabilities, Endpoint, Event Signatures, Change |
MSAD:NT6:Health | Active Directory health information | n/a |
MSAD:NT6:SiteInfo | Active Directory site information | n/a |
MSAD:NT6:Replication | Active Directory site replication information | n/a |
MSAD:NT6:Netlogon | Active Directory login statistics | n/a |
MSAD:SubnetAffinity | Active Directory domain subnet affinity problem information | n/a |
WinEventLog | Windows Event Log data for Application, System, Security, DFS Replication, Directory Service, File Replication Service, Key Management Service and DNS Server, provided by the WinEventLog input in XML or standard format | Application State, Authentication, Change Analysis, Performance, Updates, Vulnerabilities, Endpoint, Event Signatures, Change |
Perfmon:Processor | n/a | |
Perfmon:Network_Interface | Network_Interface statistics provided by the Performance Monitor input in single or multikv mode | n/a |
Perfmon:DFS_Replicated_Folders | Information about DFS replicated folders on the system provided by the Performance Monitor input in single or multikv mode | n/a |
Perfmon:NTDS | Information about NTDS on the system provided by the Performance Monitor input in single or multikv mode | n/a |
Perfmon:DNS | Information about DNS on the system provided by the Performance Monitor input in single or multikv mode | n/a |
MSAD:NT6:DNS-Zone-Information | Information about DNS zones | n/a |
MSAD:NT6:DNS-Health | Information about the health of DNS servers | n/a |
MSAD:NT6:DNS | DNS server activity statistics | n/a |
In versions 5.0.0 and later of the Splunk Add-on for Windows, the source type WinEventLog is subdivided into WinEventLog for Classic channels and XmlWinEventLog for XML channels. See Source and sourcetype changes for WinEventLog data.
Source types for backward compatibility
The Splunk Add-on for Windows includes the following source types for backward compatibility.
Sourcetype | Description | CIM data model(s) |
---|---|---|
fs_notification | File system notification changes. Included for backward compatibility. | Change Analysis |
Perfmon:CPUTime | CPU usage statistics provided by the Performance Monitor input in single or multikv mode. Included for backward compatibility. | Performance |
Perfmon:FreeDiskSpace | Free Disk Space statistics provided by the Performance Monitor input. Included for backward compatibility. | Performance |
Perfmon:LocalNetwork | Free Disk Space statistics provided by the Performance Monitor input. Included for backward compatibility. | Performance |
This documentation applies to the following versions of Splunk® Add-on for Windows: 8.1.2